diff options
author | Young Xiao <92siuyang@gmail.com> | 2019-05-29 16:10:59 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-05-30 12:32:47 -0700 |
commit | 9609dad263f8bea347f41fddca29353dbf8a7d37 (patch) | |
tree | b902b6acddb4cb880224265ce6d95f1513874d0b | |
parent | 62851d71e771e4fc099de16bb27f696c343516d9 (diff) | |
download | linux-stable-9609dad263f8bea347f41fddca29353dbf8a7d37.tar.gz linux-stable-9609dad263f8bea347f41fddca29353dbf8a7d37.tar.bz2 linux-stable-9609dad263f8bea347f41fddca29353dbf8a7d37.zip |
ipv4: tcp_input: fix stack out of bounds when parsing TCP options.
The TCP option parsing routines in tcp_parse_options function could
read one byte out of the buffer of the TCP options.
1 while (length > 0) {
2 int opcode = *ptr++;
3 int opsize;
4
5 switch (opcode) {
6 case TCPOPT_EOL:
7 return;
8 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
9 length--;
10 continue;
11 default:
12 opsize = *ptr++; //out of bound access
If length = 1, then there is an access in line2.
And another access is occurred in line 12.
This would lead to out-of-bound access.
Therefore, in the patch we check that the available data length is
larger enough to pase both TCP option code and size.
Signed-off-by: Young Xiao <92siuyang@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/tcp_input.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index c61edd023b35..08a477e74cf3 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3791,6 +3791,8 @@ void tcp_parse_options(const struct net *net, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return; |